Azure Trusted Signing fails for NSIS portable with a "file already exists" error
I'm building an NSIS portable app for Windows and have Azure Trusted Signing set up. Here is my electron-builder.yml:
```yaml
appId: 'org.drupal.cms-launcher'
# Not recommended by Electron Builder, but we need this for now so that
# the PHP and Composer executables are available to the launcher.
# @todo Can we use the `asarUnpack` option instead?
asar: false
dmg:
  contents:
    - name: 'Launch Drupal CMS.app'
      # The coordinates refer to the *center* of the icon, not the top-left corner.
      # @see https://www.electron.build/app-builder-lib.interface.dmgcontent#x
      x: 220
      y: 360
    # Figured out how to define this link by looking at the Electron Builder source code:
    # @see https://github.com/electron-userland/electron-builder/blob/master/packages/dmg-builder/src/dmg.ts
    - path: '/Applications'
      type: link
      x: 430
      y: 360
  title: 'Drupal CMS'
# These fuses are adapted from Electron Forge's boilerplate.
electronFuses:
  runAsNode: false
  enableCookieEncryption: true
  enableEmbeddedAsarIntegrityValidation: true
  enableNodeOptionsEnvironmentVariable: false
  enableNodeCliInspectArguments: false
  onlyLoadAppFromAsar: false
mac:
  # By default, both a ZIP and a DMG are built. We only need a DMG.
  target: dmg
productName: 'Launch Drupal CMS'
win:
  azureSignOptions:
    certificateProfileName: drupal-association-cert-profile
    codeSigningAccountName: da-trusted-signing-001
    endpoint: https://wus2.codesigning.azure.net/
    publisherName: DrupalCon, Inc.
  # On Windows, build a portable app that doesn't require installation.
  target: portable
```
Signing fails -- doesn't look like it's actually able to get anything signed. The error is:
```
Command failed: pwsh.exe -NoProfile -NonInteractive -Command Invoke-TrustedSigning -Endpoint 'https://wus2.codesigning.azure.net/' -CertificateProfileName 'drupal-association-cert-profile' -CodeSigningAccountName 'da-trusted-signing-001' -TimestampRfc3161 'http://timestamp.acs.microsoft.com/' -TimestampDigest 'SHA256' -FileDigest 'SHA256' -Files 'D:\a\cms-launcher\cms-launcher\dist\win-unpacked\resources\app\djpeg.exe'
```
(For the record, I'm on a Mac. All the Windows stuff is happening on GitHub Actions.)
Here's the full build log, linked to the failing part: https://github.com/drupal/cms-launcher/actions/runs/14692164167/job/41228973797?pr=54#step:10:24
The workflow in question (the Create application bundle step is probably the relevant one here):
```yaml
name: Windows
on:
  push:
    branches:
      - main
      # PR branches that alter the build process should be prefixed with `build/`, so
      # that this workflow runs.
      - 'build/**'
  workflow_call:
  workflow_dispatch:
jobs:
  php:
    name: PHP
    uses: ./.github/workflows/php-windows.yml
  app:
    name: App
    runs-on: windows-latest
    needs:
      - php
    steps:
      - uses: actions/checkout@v4
      - name: Download Composer
        uses: robinraju/release-downloader@v1
        with:
          repository: composer/composer
          latest: true
          fileName: composer.phar
          out-file-path: bin
      - name: Download PHP interpreter
        uses: actions/download-artifact@v4
        with:
          name: php-windows
      - name: Prepare binaries
        shell: bash
        run: mv php.exe bin
      - name: Set up Node
        uses: actions/setup-node@v4
        with:
          node-version: latest
      - name: Set up Yarn
        run: |
          corepack enable
          yarn set version berry
      - name: Cache dependencies
        id: cache
        uses: actions/cache@v4
        with:
          path: node_modules
          key: yarn-${{ runner.os }}-${{ hashFiles('yarn.lock') }}
      - name: Install dependencies
        if: steps.cache.outputs.cache-hit != 'true'
        run: yarn install
      - name: Create application bundle
        env:
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
        run: yarn run make
      - name: Delete PHP interpreter artifacts
        uses: geekyeggo/delete-artifact@v5
        with:
          name: php-windows
      # - name: Code signing
      #   uses: azure/[email protected]
      #   if: startsWith(github.ref, 'refs/tags/')
      #   with:
      #     azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
      #     azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
      #     azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
      #     endpoint: https://wus2.codesigning.azure.net/
      #     trusted-signing-account-name: da-trusted-signing-001
      #     certificate-profile-name: drupal-association-cert-profile
      #     files-folder: "./dist"
      #     files-folder-filter: exe,dll
      #     file-digest: SHA256
      #     timestamp-rfc3161: http://timestamp.acs.microsoft.com
      #     timestamp-digest: SHA256
      - name: Upload archive
        uses: actions/upload-artifact@v4
        with:
          name: app-windows
          path: './dist/*.exe'
          # The executable is already compressed.
          compression-level: 0
          overwrite: true
```
I am using Electron Builder 26.0.14.
Can you add env var DEBUG=electron-builder and post back the excerpt with the errors logged?
The current error message in your post doesn't provide much insight as to what failed, just that the overall command failed. What was the rest of the error message?